Reply to post: Re: @AC

Hidden Linux kernel security fixes spotted before release – by using developer chatter as a side channel

Charles 9 Silver badge

Re: @AC

That's not necessarily true. First, you can't be sure someone's actually working on bugs in any FOSS project unless there's some kind of assignment system in use. Remember, critical faults have been lying in common FOSS software for years sometimes. Second, you can never be sure the black hats came upon the fault first, already exploited it, and are just keeping their mouths shut to maximize the impact.

Having said that, this appears to be something of an intractable problem in that a necessary condition for fixing a fault is to make the fault known, which has the potential of making the problem (at least temporarily) worse. It's sort of like surgery: yes, it's often necessary, but opening someone up is never without risks. Heck, I don't even think formal verification can save us here since you can still have outside-context faults (I call them gestfaults) that combine quirks of multiple programs, each outside the others' scope.
